ABSTRACT 



A method of the present invention includes a network security system that has a single point of access control to a source computer system. The network security system provides various mechanisms for securing access to source computer systems, which include generating single-use encryption keys, generating random port assignments for communication between devices, an asynchronous message protocol used in the security system, and utilizing various levels of transaction tables to help secure and manage security parameters of the system. More particularly, the present invention provides a method for securing access to a plurality of computers connected via a network. An indication is received that a first user of a first computer program module desires to communicate with a destination computer system. When this indication is received, a message is directed to a security computer system. The security computer system determines whether the first user is authorized to access the destination computer program module of the destination computer system. If the security computer system determines that the first user is authorized to access the destination computer system, the security computer system sets up a communication protocol between the first computer program module and the second computer program module.

20 Claims, 10 Drawing Sheets 
[Drawing residue: a user identification table listing the fields USER NAME, USER PASSWORD and USER ROLE.]
NETWORK SECURITY AND INTEGRATION METHOD AND SYSTEM

FIELD OF THE INVENTION

The present invention relates to security systems for computer networks and to integrating security systems with an existing network.

BACKGROUND OF THE INVENTION

Computer use and the electronic transfer of information has increased substantially among home and business computer users. The growth in computer use has spurred a demand for creating computer networks to facilitate the transfer and sharing of information. For example, many companies provide computers for most, if not all, employees to facilitate the exchange of information among the employees via a computer network. Many companies have reduced the cost associated with computing by adopting client/server networks to aid in the transfer of information between company computer systems. Networks within a business are often referred to as local area networks (LANs). A local area network is a group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network. LANs often include microcomputers, mainframe computers and shared resources such as printers and hard disks. Many LANs can support a wide variety of computers and other devices. The devices connected to the LAN must use the proper physical and data-link protocols for the particular LAN, and all devices that communicate with each other use the same upper-level communications protocol.

By using client/server networks, companies consolidated many of their computer processing applications, databases or needs in a central computer processing center. With a central computer processing center containing most if not all the computer programs and databases of the company, programs that provide scheduling, inventory monitoring, order placement, account processing, or data exchange processing necessary for efficient management of the business may be readily obtained by a distributed group of workers. By providing a centralized operating environment with company records and programs, employees of large companies have access to and know of transactions being carried out or performed by other employees at the office although the employees may be located in different office buildings or different floors of the company. Therefore, several employees can work independently of each other to schedule customer appointments, take orders, process accounts and have the data records of the company updated in a centralized facility so as to avoid duplicative or conflicting actions.

As computer use and network use has increased in companies, so too has computer use and network use increased among individual home users. While these home users do not generally set up a special network to communicate with other home users, the home computer users, as well as businesses, can gain access to a global computer (wide area) network often referred to as the Internet. By gaining access to the Internet, all types of computer users may be connected.

Because many companies are aware of the growth of computer use in most environments, these companies seek to reach these users or potential customers through a computer network, which is most often the Internet computer network. Many companies reach the potential customers by providing one of several different types of methods of communicating over the network. For example, a business may provide a graphic advertisement over a computer network, an interactive request system to a special database set up for user interaction, or an interactive processing system that enables a customer to interact with a company's internal computer network. Companies usually desire to enable customers to access the internal company network to perform simple important tasks that reduce company overhead, such as processing banking account information or room scheduling for a hotel.

Although providing access to a company network and systems is desirable in many situations, it is not always practical for several reasons. For example, the internal networks of companies often contain confidential data such as inventory data, customer accounts, price structuring information, business leads and plans, and other business critical data. While this type of data may not be generally accessed by customers, some customers or users may be skilled in defeating general security measures of computer systems and may access the confidential information. Computer users who attempt to compromise computer security systems are often referred to as computer hackers or crackers. Therefore, security concerns often can make access to a company's network risky or impractical. Additionally, many companies have invested from several thousand to millions of dollars on computer systems that incorporate mainframe/legacy systems. These mainframe/legacy systems are often specially designed for the business to process information quickly and efficiently in the business' environment. However, these legacy systems are not readily adaptable to interact directly with public networks such as the Internet to facilitate customer use. Particularly, the messaging systems of these legacy systems are not adapted to interact efficiently with the Internet public network. Furthermore, because legacy systems are custom designed systems, it can be a difficult task for a manager of the system to continually update the programming of the system to allow customers to access new or updated systems on the network and to account for a changing customer base.

With respect to the security of systems, many companies use a computer protection device, known as a firewall, in association with the company computer server that provides access to the Internet. A firewall is a device located on the Internet that examines the information in a header of a data communication and blocks entry if the header information contains or does not contain certain information. An experienced computer hacker can monitor Internet traffic and obtain the node address of an authorized or trusted user of the company's computer system, then fake the address to obtain access to the company's computer system. A firewall does not prevent such deception. Current firewall technology provides limited protection against professional hackers. Additionally, firewalls only provide protection measures for information contained in headers, and header information only contains standardized information as promulgated by a standards committee for Internet protocol. Due to the standardized nature of headers, firewalls do not provide flexible security options. Because the firewall is an Internet device, once this Internet security measure is broken the company's records are exposed to the computer hacker.

[Several lines unreadable in the scan.] ... there is a need for a network security system for a computer network that incorporates specialized computer systems to be used in connection with an open network without
substantial modification to the specialized computer systems. Furthermore, there is a need for a network security system that may be easily managed by a network security manager.

SUMMARY OF THE INVENTION

Generally described, the present invention provides a network security system that provides a single point of access control to one or many source computer systems. The present invention provides various mechanisms for securing access to source computer systems that include generating single-use encryption keys, generating random port assignments for communication between devices, using an asynchronous messaging protocol in the security system and utilizing various levels of transaction tables to help secure and manage security parameters of the system.

More particularly described, the present invention provides a method for securing access to a plurality of computers connected via a network. In this method, an indication is received that a first user of a first computer program module desires to communicate with a source computer system over the network. When this indication is received, a message is directed to a security computer system. The security computer system, functioning as an access control manager to the source computer system, determines whether the first user is authorized to access the source computer system. If the security computer system determines that the first user is authorized to access the source computer system, the security computer system sets up a communication protocol between the first computer program module and the second computer program module.

Additionally, the communication protocol that is set up between the first computer program module and the source computer system may be terminated if a selected time period is exceeded. Also, setting up the communication protocol may include selecting, in response to the step of receiving the electronic communication, one port of the multiple ports of the source computer system to be used for communication of information over the computer network between the first computer program module and the source computer system. The first computer program module communicates with the source computer system via the selected one port, and the source computer system communicates with the first computer program module via the one port. The one port is preferably selected by a randomizing selection program module. The port may be changed for each transaction by the randomizing routine.

Another method of the security system may include providing encryption keys to a first computer program module and a second computer program module, where each program module is stored in a computer system. One step of the method includes receiving a message that is to be encrypted. In another step, a message specific encryption key is generated in response to receipt of the message. The message specific encryption key is transmitted to the first and the second computer program modules. The first and second computer program modules are operative to use the message specific encryption key to encrypt or decrypt a message transmitted between the first and second computer program modules. Message specific encryption keys are preferably single-use encryption keys that are newly generated for each message transaction that is to occur.

Another computer-implemented method of the present invention includes authenticating and granting access privileges to a user of a first computer system who wants to communicate with a source computer program module. An indication is received that a first user of the first computer program module desires to communicate with a source computer system. In response to the indication, digital signatures are used to authenticate that the request was received from a trusted user. Next, a first set of tables is accessed that contains identification information which indicates whether computer users have access privileges to the computer system, or systems, being managed by the security system. Next, a second set of tables is accessed to determine whether the requested source computer module exists and is known to the security system. The second set of tables identifies the source computer program modules available for access on the second computer system, or systems, being managed by the security system. Next, a third set of tables is accessed that specifies whether the first user has access privileges to the indicated source computer program module. The third set of tables identifies the source computer modules to which specific users have access. Finally, a fourth set of tables is accessed to determine if the requested system is available (on-line), and to provide addressing information for the source computer. Following these steps, the user is enabled to access the indicated source computer module from the first computer program module if the user is authorized to access the source computer system, if the identified source computer program module is contained in the second set of tables, if the third set of tables indicate that the user has access privileges to the indicated source computer program module, and if the source computer is operational (on-line).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of the network components used in connection with the preferred embodiment of the network security system.

FIG. 2 is a diagram of a customer or user computer system used in connection with the present invention.

FIG. 3 is a diagram of a web server to handle network transaction traffic between a user computer system and an application server computer system as used in connection with the preferred embodiment of the network security system.

FIG. 4 is a diagram of a security server used in connection with the present invention that operates to control access to an application server computer system.

FIG. 5 is a diagram of an application server computer system used in connection with the preferred embodiment of the network security system.

FIG. 6 is a diagram that illustrates the messaging protocol utilized in connection with the present invention.

FIG. 7 is a diagram of the transaction tables database used in connection with the present invention.

FIG. 8 is a diagram of points within the network security system in which data may be logged.

FIG. 9 is a diagram of the data format that indicates which network points are to receive logging data.

FIG. 10 is a diagram of the data format that indicates where to log data at the network points.

FIG. 11 is a diagram of a representative message format used in connection with the preferred embodiment of the present invention.

FIGS. [figure numbers unreadable in the scan] are flow diagrams of the processes of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to the drawings, FIG. 1 illustrates the basic components of a network security system 10 as used in
connection with the preferred embodiment of the present invention. The network security system 10 of the present invention may serve to integrate devices not designed for use with the protocols of a particular network. Particularly, the network security and integration system of the present invention enables [several lines unreadable in the scan; the legible fragments refer to a private network 12 and state that the network security system 10] helps to secure transactions on the private network of computers by using a single point of access control to the private network. The single point of access control to the private network is preferably implemented as a network security server. Particularly, the system of the present invention utilizes a network security server to authorize and set-up communication between two computer program communication modules.

The network security server ensures that a user seeking access to a source or destination computer system is an authorized user. The network security server also uses encryption techniques to help ensure the confidentiality of messages being delivered. The network security server operates to set-up and secure the communication channel between the two computer systems using a unique messaging protocol. More specifically, the network security server generates single-use public transaction encryption keys for each transaction that is to be performed by a user or users. The network security server delivers the single-use public key to each of the communicating systems. This key is then used by the two communicating systems for encrypting or decrypting messages delivered between the systems for the particular transaction. By generating a single-use public key for each transaction to take place, the security of the system is much more difficult to compromise because a hacker could not readily discover a continually changing public encryption key. Even if a single-use key was discovered or guessed for one transaction, the key would be different for the next transaction.

The network security system 10 further enhances security by generating random port assignments on which communications between the two computer systems are to take place. The network security server delivers the randomly generated port assignment to each of the computer systems so that when a communication is to be made between the systems, each of the systems knows the port on which the communication is to take place. By using a port selection randomizing routine, a computer hacker cannot monitor or mimic a single port on which communications are to occur to obtain confidential data or to corrupt data, because the port assignment for the data being accessed is changed with each transaction. Randomizing port assignments for each transaction, in combination with generating a single-use public key for each transaction, provides a significant level of security beyond conventional network computer systems.

Conventional computer security systems limit access to a particular system by requiring a password, user id, predetermined node addresses and specific protocols. However, in addition to these measures, the network security system described herein is enabled to limit access of an authorized user to specific systems, specific transactions available on the system and specific times in which a user may access the data of the system. Additionally, the network security system provides a security measure that aborts a transaction if the transaction exceeds a certain duration of time. The duration allotted for a particular transaction is based upon the time in which it takes to generally complete the transaction. By limiting the duration of the transaction between a user computer system and the source computer system to the general transaction time, a computer hacker does not have time to stay on the computer system long enough to analyze or significantly alter applications or corrupt data within the source computer system.

Preferably, many of the authorization functions performed in the network security system are performed in conjunction with tables that specify the users and passwords for the user, and the different levels of authorization required for access to systems, transactions, or information protected by the network security system 10. The transaction tables constructed and used according to the present invention enable a security manager of the network security system to easily manage and update access privileges when users change or when computer systems on the network are changed or updated.

Preferred Operating Environment

Before providing a detailed description of the systems and methods of the present invention, a brief description of the preferred operating environment and the equipment of the operating environment is provided. Referring to FIG. 1, the network security system 10 includes many components that operate to secure transactions and integrate components of one network to another. The network security system 10 ensures that a computer system 16 is authorized to access application servers 20 over a computer network, such as the computer network 22. These security processes or measures taken by the network security system 10 are preferably controlled by the security server 24 in response to a computer system 16 attempting to access the application servers 20 over the open computer network 22 or the internal computer network 26. The open computer network 22 is preferably the computer network commonly referred to by those skilled in the art as the Internet.

The Internet is a network of computers that connects many governmental, university, and private computers together and serves as a means for making a vast quantity of information available to computers connected to the network. Computers, such as computers 16, that have access to a computer network are generally referred to as being "set up" on the computer network. When a device has a connection to the network, the device communicates over the network using an appropriate network protocol, such as Transport Control Protocol/Internet Protocol (TCP/IP), Hypertext Transfer Protocol (HTTP), and generates graphics via Hypertext Mark-up Language (HTML). In general, a personal computer may be set up on the Internet by subscribing to an Internet service provider or other on-line service company that provides a connection to the Internet for the subscribing computer owner. It should be appreciated that information updates and communications within the communication network used in connection with the present invention may be accomplished by a variety of network protocols or languages known by those skilled in the art.

The computer system 16, which alternatively may be any appliance operable to communicate over a network, is connected to an Internet server computer 30. The Internet server computer 30 is connected to the computer network 22 and enables the computer system 16 to communicate via the computer network 22. When an Internet connection is provided by the Internet service provider responsible for the Internet server computer 30, the computer system 16 may seek access to an application server 20 that controls access to applications or objects. Each of the application servers 20 has to an object 21 (e.g. application) that contains the computer programs and data used to process a desired transaction of a user of the computer system 16.
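The four-table authorization sequence given in the Summary above, written out as a runnable check. This is an added example, not code from the patent: the table contents are constructed, the per-user secrets are placeholders, and a keyed MAC (HMAC-SHA256) over the request stands in for the digital signature the text mentions, since the text does not name a signature scheme. A per-request nonce that the security server remembers is also an assumption, added so that a captured request cannot simply be presented a second time.

```python
"""Four-table authorization check of the summarized method (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    GRANTED = "granted"
    UNTRUSTED = "request not authenticated as coming from a trusted user"
    REPLAY = "request nonce already seen"
    UNKNOWN_USER = "user not in the identification table"
    UNKNOWN_MODULE = "source module not known to the security system"
    NO_PRIVILEGE = "user has no access privilege for this module"
    SYSTEM_OFFLINE = "source system is not on-line"


# Constructed sample tables; the secrets are illustrative placeholders only.
# Table 1: user identification. The per-user secret stands in for whatever
# credential the digital-signature step of the text verifies.
USER_KEYS: Dict[str, bytes] = {"alice": b"alice-secret", "bob": b"bob-secret"}
# Table 2: source program modules known to the system, and the system hosting each.
MODULES: Dict[str, str] = {"account_balance": "bank-host", "room_schedule": "hotel-host"}
# Table 3: the modules each user may access.
ACCESS: Dict[str, Set[str]] = {"alice": {"account_balance"},
                               "bob": {"account_balance", "room_schedule"}}
# Table 4: whether each source system is on-line, and its address.
SYSTEMS: Dict[str, Tuple[bool, str]] = {"bank-host": (True, "10.2.0.52"),
                                        "hotel-host": (False, "10.2.0.53")}
# Nonces already accepted; a repeated one is refused (assumed replay defence).
SEEN_NONCES: Set[str] = set()


def sign_request(user: str, module: str, nonce: str, key: bytes) -> str:
    """Keyed MAC over the request fields; a stand-in for the digital signature."""
    return hmac.new(key, f"{user}|{module}|{nonce}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Authorization:
    decision: Decision
    address: Optional[str] = None   # addressing information, only when GRANTED


def authorize(user: str, module: str, nonce: str, signature: str,
              users=USER_KEYS, modules=MODULES, access=ACCESS,
              systems=SYSTEMS) -> Authorization:
    """Walk the tables in the order the Summary gives; stop at the first failure."""
    # Table 1 and the signature check: the user must be known, and the request
    # must verify under that user's key before anything else is looked up.
    key = users.get(user)
    if key is None:
        return Authorization(Decision.UNKNOWN_USER)
    if not hmac.compare_digest(signature, sign_request(user, module, nonce, key)):
        return Authorization(Decision.UNTRUSTED)
    if nonce in SEEN_NONCES:
        return Authorization(Decision.REPLAY)
    SEEN_NONCES.add(nonce)
    # Table 2: does the requested module exist and is it known to the system?
    host = modules.get(module)
    if host is None:
        return Authorization(Decision.UNKNOWN_MODULE)
    # Table 3: is this user allowed to use this module?
    if module not in access.get(user, set()):
        return Authorization(Decision.NO_PRIVILEGE)
    # Table 4: is the hosting system on-line, and where is it?
    online, address = systems.get(host, (False, ""))
    if not online:
        return Authorization(Decision.SYSTEM_OFFLINE)
    return Authorization(Decision.GRANTED, address)
```

The ordering matters for what a caller learns: the signature is checked before any table beyond the user's own entry is consulted, so an unauthenticated request cannot probe which modules or systems exist, and the distinct reason codes are meant for the security manager's log rather than for the requesting user.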




[Paragraph largely unreadable in the scan. Legible fragments: "... data ... computer system 16 to display the options available for access to ... web ... processes the data messages from the computer system 16 ... the computer system 16 desires to access the application servers 20. The security server ... the computer system 16 is ... application servers 20 ... particular ... that execute on the application servers 20."]

Devices that are connected to the Internet utilize addresses to access a particular computer or server on the network. The addresses usually have a specific format, such as [text unreadable in scan] second part [text unreadable in scan]. A commonly used notation for Internet host addresses is the dotted-decimal, which divides the 32-bit address into four 8-bit fields. The value of each field is specified as a decimal number, and the fields are separated by periods (for example 010.002.000.052 or 10.2.0.52). Communication between two computers also requires use of ports. A port can be thought of as an endpoint for communication between systems. Each system has over 64,000 ports. Thus, a computer system 16 may access the web server 32 using the address, 10.2.0.52, and using specific port numbers (e.g., port 7171).
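A parser for the dotted-decimal address and port notation just described, written as an added example (not code from the patent) to show that both forms in the text, 010.002.000.052 and 10.2.0.52, map to the same 32-bit value, and how out-of-range fields and ports are rejected. The function names are assumptions.

```python
"""Dotted-decimal address and port parsing for the notation described above (added example)."""
import re
from typing import Tuple

# ASCII digits only: str.isdigit() would also accept digits from other scripts
# that int() then misreads or rejects.
_FIELD = re.compile(r"[0-9]{1,3}")
_PORT = re.compile(r"[0-9]{1,5}")


def parse_dotted_decimal(text: str) -> int:
    """Return the 32-bit value of an address written as four 8-bit decimal fields.

    Both forms shown in the text are accepted, zero-padded (010.002.000.052)
    and plain (10.2.0.52); each field is read as decimal, never as octal.
    Anything else is rejected rather than guessed at.
    """
    fields = text.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four fields: {text!r}")
    value = 0
    for field in fields:
        if not _FIELD.fullmatch(field):
            raise ValueError(f"field {field!r} is not 1 to 3 decimal digits: {text!r}")
        octet = int(field)
        if octet > 255:
            raise ValueError(f"field {field!r} does not fit in 8 bits: {text!r}")
        value = (value << 8) | octet
    return value


def to_dotted_decimal(value: int) -> str:
    """Inverse of parse_dotted_decimal, producing the plain (unpadded) form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value!r}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_endpoint(text: str) -> Tuple[int, int]:
    """Parse 'address:port' into (32-bit address, port). Valid ports are 1..65535."""
    address, sep, port_text = text.rpartition(":")
    if not sep or not _PORT.fullmatch(port_text):
        raise ValueError(f"expected address:port with a decimal port: {text!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range 1..65535: {text!r}")
    return parse_dotted_decimal(address), port
```

Zero-padded fields are read as decimal here, as the text does. That is a deliberate choice worth knowing about: glibc's inet_aton and some other C parsers treat a field with a leading zero as octal, and recent versions of Python's ipaddress module reject padded fields outright for that reason, so an address such as 010.002.000.052 should be normalized with a parser like this one before it reaches code that might read it differently.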

Referring to FIG. 2, the general components of a computer system 16 are described. One aspect of the computer
system 16 includes a graphical user interface system 41 
operating in conjunction with a display screen 34 of the 
display monitor 36. The graphical user interface system 41 
is preferably implemented in conjunction with the operating 
system for displaying and managing the window objects of 
the system. It should be appreciated that the interface used 
with the present invention operates in connection with a 
"web browser" 39 as commonly known in the art. 

Although the present invention is described in conjunc- 
tion with a conventional desktop computer, it will be appre- 
ciated that the present invention may be utilized in other 
types of computer systems that use a window based display 
system. The graphical user interface system 41 is imple- 
mented as part of the computer system 16 to receive input 
data from a conventional keyboard 42. Cursor keys on the 
keyboard 42, a mouse, trackball, or other pointing device 
may be used to move a cursor on the display monitor 36 for 
selection of various options. 

For simplicity of the drawings, many components of a 
standard computer system have not been illustrated such as 
address buffers, memory buffers and other standard control 
circuits because these elements are well known and illus- 
trated in the prior art and are not necessary for an under- 
standing of the present invention. A computer program used 
to implement the various processes of the present invention 
is generally located in the memory unit 38, and the processes 
of the present invention are carried out through the use of a 
central processing unit (CPU) 40. Those skilled in the art 
will appreciate that the memory unit 38 is representative of 
both read-only memory and random access memory. The 
CPU 40 is typically implemented as a single-chip microprocessor. The CPU 40, in combination with computer
software, such as an operating system 51, an application 
program 44 (optional), and browser 39 controls the opera- 
tions of the computer system 16. The operating system 
software 51, in conjunction with the browser 39 and appli- 
cation program 44 (optional), controls the allocation and 
usage of hardware and software resources such as memory, 
CPU time, disk space, and peripheral devices. The bus 53 of 
the computer system supports communications of control, 
address, and data signals between the CPU 40 and the 
remaining components of the computer system 16. The 
memory unit 38 and the CPU 40 are connected by the bus 
53 which is designed to provide an electrical interface 
between computer system components. The processes 
implemented by the CPU 40 may be communicated as 
electrical signals along the bus 53 to an input/output device 
via input output interface 45. A network connection 47 is 
provided to connect to a computer network. The network 
connection may be a modem, LAN connection or other 
suitable network connection mechanisms. Other computer 
systems used in connection with the present invention 
operate in a similar manner but have program modules that 
vary depending on the function of the component computer 
system. 

Referring to FIG. 3, the web server 32 is described in more detail. The web server 32 includes a central processing unit 60, a memory unit 62, a computer system bus 64, network connection 65, and an I/O port interface 66. The I/O port interface 66 contains a plurality of ports 67 that are used to communicate with external devices, such as an object 21. In a typical implementation, the web server contains over 64,000 ports. The memory unit 62 of the web server 32 contains several program modules including an operating system 71, a gateway program module 72, a control application 73, and a web server database 74.
information received from a computer system 16 and con- 
verts the information to a form compatible with the data 
formats used in the security server 24. The gateway program 
module 72 returns information to the web server in a format 
defined by the Common Gateway Interface (CGI) specifi- 
cation. The web server returns this information to a user to 
indicate to the user, the objects, or applications available to 
the user at the site accessed by the user. The web server 32 
includes a router 76, an object processor 78 and an encryp- 
tion module 80. The router 76 routes requests for services 
from user applications of the computer system 16 to the 
security server 24. As generally discussed above, after the 
security server 24 authorizes the desired transaction, the 
gateway program module 72 communicates directly with 
application servers 20 in order to complete a desired trans- 
action. During the communication with the application 
server 20, the object processor 78 receives outputs from 
objects 21. The encryption module 80 encodes and decodes 
messages transmitted in accordance with the present inven- 
tion. The encryption module 80 encrypts messages when the 
web server 32 receives a request from a user of computer 
system 16. The encryption module 80 encrypts the messages 
being transferred from the web server 32 to the security 
server 24 and the application server 20. The encryption 
module 80 decrypts messages received from the application 
server. 

Referring to FIG. 4, the security server 24 is described in detail. The security server 24 includes a central processing unit 81, a network connection 82, a memory unit 83, a computer system bus 84, and an I/O port interface 85. The security server 24 communicates with external computer systems or devices via the I/O port 85.
The security server 24 provides a single point of control for 
performing the security and administration services of the 
network security system 10. The memory unit 83 contains a 
security control application module 86, a random port gen- 
erator module 88, an encryption module 90, operating 
system 91, transaction tables 92, and a dynamic key gen- 
erator module 94. The security control application module 
86 manages the coordination of the processes of the various 
modules implemented at the security server 24. The encryp- 
tion module 90 decrypts messages delivered to it from the 
web server 32 and the application server 20 and encrypts 
messages delivered to the web server 32 and the application 
server 20. The transaction tables 92 are accessed for each 
transaction desired by a user. The transaction tables 92 are 
accessed to determine whether the transaction exists, 
whether the system on which the transaction resides is 
active, and whether the user has authority to implement or 
use the transaction desired by the user. If the user is an 
authorized user for the transaction, the random port genera- 
tor module 82 and the dynamic key generator module 94 are 
activated to generate a random port number and single-use 
public key, respectively. As known to those skilled in the art, 
a TCP/IP computer has more than 64,000 ports. The random 
port generator module 88 randomly selects an unused port 
for which a communication between an application server 
20, within a range defined by the system administrator, and 
a user computer system 16 is to communicate for this 
particular transaction. Additionally, the dynamic key gen- 
erator module 94 generates a random public key to be used 
by the application server 20 and the web server 32 during 
communications between the two systems. The transaction 
specific port and the single-use public key are transmitted in 
an encrypted message to both the application server 20 and 
the web server 32, as discussed in more detail below. 

Referring to FIG. 5, the application server 20 used in connection with the present invention is shown in detail. The application server 20 contains a CPU 95, memory unit 96, a computer system bus 97, an I/O port interface 98, and a network connection 100. The I/O port interface 98 includes a plurality of ports 99 that are used to communicate with external devices, such as the web server 32. The memory unit 96 contains various application modules used in connection with the application server 20. The memory unit 96 contains an operating system 102, an object manager program module 104, an encryption program module 106, and objects 21 (one object illustrated). The object manager program module 104 selects and initiates execution of objects 21 of the computer system. The encryption program module 106 encrypts and decrypts messages transmitted to and from the security server 24 in connection with the present invention. The object typically resides on the application server 20. Each object 21 consists of a message router 124, an encryption/decryption module 122, and object application code. The object manager 104 initiates execution of the object application code. The object 21 executes and performs the transaction desired by a user of the computer system 16. The application module is executable code preferably developed by the user organization. It usually is written in the C programming language. The encryption/decryption module 122 encrypts data processed by the object 21 before the message is routed back to the appropriate web server 32 by the message router 124. The message router 124 outputs information via an I/O port that was randomly selected by the security server 24.

Message Protocol

As discussed above, an advantageous aspect of the network security system 10 is the single point of access control between user computer systems 16 and application servers 20, as well as the messaging protocol used in communication between devices of the network security system 10. Referring to FIG. 6, a messaging protocol as occurring between a single user computer system 16 and an application server 20 is discussed to illustrate the protocol and operations performed in conjunction with the processes of the present invention. When a user of computer system 16 accesses the web server 32, the user may select a desired transaction that is displayed in response to the user's access of the web server. When the user selects an object or transaction to be executed, message 1 (messages are represented by encircled numbers) is sent from the web server 32 to the security server 24. The gateway component of the web server 32 is executing a CGI gateway, which means that the request was initiated from a web browser or from a JAVA applet. It should be appreciated by those skilled in the art that a computer system user may interface directly with a gateway module that is not part of a web server. For a transaction on an application server 20, the only information available at the gateway module is the node address and port that is to be used to address the security server 24.

Several functions are performed by the security server 24 upon receipt of the message 1. The security server 24 first decrypts message 1, then authenticates that message 1 was received from an authorized gateway program module by verifying that the digital signature of message 1 is valid. After determining that the gateway program module is authorized, the security server 24 determines whether the user is authorized to perform the requested transaction. The transaction tables that are used to verify that a user is authorized to perform a certain transaction are the user table, object table, node table, and roles table. These tables are searched to determine if a user can access a particular object during a certain time and whether time constraints are imposed on certain nodes. The nodes table provides the node address of the computer system on which the transaction is to be executed.

If the user is authorized to perform the desired task given the constraints defined in the transaction tables, the dynamic key generator module 94 generates a single-use public key to be used for encrypting and decrypting data transmitted between the object and the gateway components of the web server 32. Additionally, the random port generator module 88 implements a randomizing routine to generate a random port number that is to be used for the transmission of information between the object and the gateway component of the web server 32. Generally, a range of acceptable addresses is defined by the system administrator from which the random port number is selected. The security server 24 also assigns a transaction time-out value for the transaction as determined from the object table. After the security server 24 performs each of these functions, the security server 24 sends a message to the object manager 104 of the application server 20.
Message 2 contains information that authorizes the object manager 104 of the application server 20 to perform specific tasks and provides the encryption keys and port addresses to be used for the transmission of data between the object and the gateway components of the web server 32. Additionally, the object manager evaluates the time-out values for the transaction. The application server 20 initiates execution of the requested object and passes certain information to the object as indicated at 140. The information is transmitted to the object using either temporary files, shared memory or message queues. A run-time component of the message protocol is linked with user-written object code. These run-time components are the message router 124 and the encryption/decryption module 122. This run-time component uses information from the object manager 104 to control execution of the object and to return output to the gateway program module of the web server 32.

If the time-out value for the transaction is exceeded, the object execution for this transaction is aborted and this event may be logged. As discussed above, by limiting the time of a transaction over the network to a predetermined execution time, the time in which a computer program hacker has to tamper with or corrupt an application or data is very limited. Therefore, the time limit for execution of a transaction provides a further security measure in addition to the single-use public keys and random port selection method.

When the object manager of the application server 20 initiates execution of the object, the object manager sends message 3, asynchronously, back to the security server 24 to confirm to the security server 24 that the object is executing. When the security server 24 receives the message 3, the security server 24 sends message 4 to the gateway program module of the web server 32. Embedded in the encrypted message 4 is the single-use public key generated by the dynamic key program module 94 that is to be used for decrypting data transferred between the gateway program module and the object. The single-use public key is the same key transmitted to the object manager of the application server in message 2. This single-use public key is unique to this particular transaction. For subsequent transactions, another single-use public key is generated for the then occurring transaction.

The message 4 also contains the port number and time-out value assigned to it for the transaction. Sending messages 3 and 4 asynchronously with the execution of the object provides enhanced performance characteristics as compared to previously known systems that are implemented over an open network. Conventionally, in open network systems such as the computer network 22, only one step of a multi-step messaging protocol is performed at a time before proceeding to the next step. However, the network security system 10 of the present invention enables the transmission of messages 3 and 4 asynchronously with the execution of the object, therefore providing enhanced performance characteristics. Improvements in performance due to use of the asynchronous method of the present invention over a synchronous method can range from several milliseconds to several seconds per transaction depending on system and network loads and characteristics.

When the gateway component of the web server 32 receives the message 4, the gateway component prepares the program modules to receive data from the object using information provided in message 4. This information in message 4 is the port number, single-use public key and time-out values. When the object finishes executing the desired transaction, the object transmits message 5 directly to the gateway components of the web server 32. Thus, the security server module is out of the messaging loop at this point of the transaction. When the web server 32 receives a message 5, the web server delivers message 6 back to the object 21 as a confirmation message that the data sent by the object has been received. In the system of the present invention, data sent by the object may be blocked to improve performance. For example, short records would be combined, or blocked, into a single message to reduce the number of messages on the network. The gateway program then returns the information to the user program either through an application program interface (API) or by a common gateway interface (CGI) program specification.

Transaction tables

Referring to FIG. 7, the transaction table database is described in detail. The transaction table database 92 contains the tables that are accessed or used by the security server 24 when determining whether a user is authorized for the transaction that the user seeks at the current time. The transaction table database 92 contains four different types of tables: users tables 701, objects tables 703, roles tables 705, and nodes tables 707. A user's table 701a is representative of the information contained in the individual user's tables and the transaction table database 92. The user table specifies users that have access to one or more application servers 20, which is verified by a user name and password. The user table 701a contains a user identification (ID) field 704a that functions as a key for this table, and contains a user name field 706a that specifies a user's name and has a user password field 708a that specifies the password of the user. If a user enters correct data that satisfies these fields or requirements of one of the tables, the role ID 710a is evaluated. The start and stop times for the role are specified in fields 712a. If a user inputs the correct user name and password contained within the user tables 701, and the request satisfies the time constraints imposed in the users table 701, the security server 24 searches the object's table to determine whether the object which the user desires to access is in one of the object's tables. An object table 703a is representative of the information contained in the object table. The object table 703a contains an object ID field 720a, a node ID field 722a, an object description field 724a, an object time stamp field 726a, an object version field 728a, an object level field 730a, an object currency field 732a, an object name field 734a, an object option field 736a, and an object time limit field 739a. The object node ID field 722a specifies the node at which the object resides, the object time stamp field 726a specifies the time at which the object was added to the objects table, and the object version field 728a describes the version of the object of the table. The object currency field 732a specifies the times at which an object can be accessed. The object name field 734a specifies the name of the object. The object log option field 736a enables logging of messages associated with a specific object and the object debug option enables a choice of what level of detail is to be included in the log for security and debug purposes. The object time-out limit specifies the duration that the object may be accessed by the user during any given transaction.

If the object exists in the objects table 703 and the time constraints imposed on the object are satisfied, a search is made in the role tables 705 associated with the user to verify that the user is authorized to access the object. The role table 705a contains a role ID field 752a. The role ID field 710a in the users table is matched with the role ID field 752a in the role table to determine the role associated with the user. The role table 705a has a role description field 754a, and a
security token field 756. The role description field describes the role. For example, the role description field may contain "Read Account Balance." The security token contains an authorization switch for each object authorized for access by the role ID 752a.

If all of the authorization conditions specified in the user table, object table, and role tables are passed, the node tables 707 are accessed. For example, the nodes table 707a contains a node ID field 762a, a node address field 764a, a node description field 766a, a node port field 768a, a node code page field 770a, a node byte ordering field 772a, a node platform field 724a, a node status field 776a, and node currency fields 778a. The node ID field 762a contains the node ID for the specific table. The node address specifies the address of the node identified by the node ID. The node description field describes the node that is to be accessed and the node port field specifies the default port for the node. The node code page field is used to specify the country code page. Code pages are used to define the international languages and special characters that are known to the computer systems. The node byte ordering field specifies the type of translation that might be required to map data between computer systems. Some computers record data internally in ASCII and others in EBCDIC. The node platform field specifies the platform on which the node resides and the node status field specifies whether the node is on-line or off-line. The node currency field 778a specifies the times at which the particular node may be accessed.

While these transaction tables provide an efficient method for specifying the various operations that a user may perform in a relational manner, the use of the tables as identified above also provides for ease of administration. For example, in large computing environments such as institutional banking environments that are making computer systems available to their customers over the network, a system administrator must update users that are authorized to use the system because the bank acquires new customers each day and also loses customers. Thus, the system administrator must account for these users by updating the records of the bank. Additionally, companies frequently replace existing systems with newer systems and consequently the newer systems or updated systems must be modified or made accessible to the users of the computer system. In prior systems, a system administrator often would have to reprogram or code the new system to be operable with the existing customers and clients on a network. However, utilizing the transaction tables of the present invention, a security administrator may simply access and revise information in the node table and/or objects table to ensure that the new system will operate in conjunction with users that are authorized to use a specific function that was replaced or updated. Thus, the transaction tables as described herein provide a system that is easily manageable.

Message Mapping Between Web Server and Legacy Systems

The network security system 10 is particularly adapted to enable existing computer systems of a company to be integrated in an open network such as the Internet computer network 22 (FIG. 1). The system provides an interface between client programs executing on computers coupled to an open network and computer applications on legacy mainframes/large processing systems. Often these systems are controlled by a UNIX operating system. The client program may be a web browser or other program for communicating messages over an open network in a variety of open network protocols such as HTTP, FTP, e-mail and Telnet. The interface includes a Web server which supports communication in an open network protocol between the Web server and the client program. A gateway module at the Web server converts messages from the client programs to a proprietary data message format. The proprietary data message format is robust enough to support different types of legacy objects such as applications, databases, and other utilities. The object manager maps the message in the proprietary protocol message to an application command or database query which is sent to the legacy object. The response of the legacy object is mapped by the object manager to the proprietary format which may be encrypted by the security module and transmitted to the gateway module. The gateway module converts the response in the proprietary format to the open network protocol for transmission back to a user.

The gateway provides an interface between the Web server and a legacy object. Because browsers use graphic user interfaces (GUI), users are able to take advantage of the features of a browser GUI without modification of a legacy object. The system also provides the advantage of using a single message format for communication between the Web server gateway module and object managers. Such a system extends the useful life of application programs and databases on legacy mainframe systems.

Specifically, the system of the present invention maps data from American National Standard Code for Information Interchange (ASCII) to extended binary-coded decimal interchange (EBCDIC) and vice versa; big Endian byte ordering to little Endian byte ordering and vice versa; and CGI format to legacy format and legacy format to HTTP format. The system translates information between ASCII and EBCDIC; this translation is used, for example, if the gateway is executing on an ASCII machine and the object is executing on an EBCDIC machine. The system of the present invention translates binary control information from big Endian byte ordering (also known as network byte ordering) to little Endian byte ordering (for example, the Intel format). This translation is used, for example, if the gateway is executing on a Motorola or RISC microprocessor and the object is executing on an Intel machine.

If the gateway interfaces to a Web server, the information that the browser passes to the gateway is passed in a specific format as defined by the common gateway interface specification (CGI). Information in the CGI format is translated and transformed into a format that is accessible, useful, and easily manipulated by the legacy application. Also, information returned by the legacy application to the Web server must be in the HTTP format. Therefore, the system of the present invention maps information received from the Web server to a CGI proprietary format for transmission purposes. The object manager executing on an application server maps the information to a programming interface (GETENV) that is commonly supported on well-known legacy operating systems and defined in ANSI, SAA, POSIX and XPG4 programming specifications. Programming to the HTTP format is accomplished using another programming interface (SPRINTF) which is defined in the ANSI, SAA, POSIX and XPG4 programming specifications. The system of the present invention returns the information to the gateway, handling the ASCII to EBCDIC and big to little Endian conversions and blocking and deblocking of data, but does not modify the HTTP format. As indicated in the node byte ordering field 722a of the nodes table 707 (FIG. 7), the messaging format may be specified in the node table.
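The per-node code page and byte ordering translation described in this section, driven by the node table's code page and byte ordering fields, as an added Python example that is not the patent's code. The message layout (a two-field binary control header followed by text data), the node rows, and the use of Python's cp037 codec as the EBCDIC code page are assumptions.

```python
"""Translate a message between nodes whose code page and byte ordering differ.
Added example; the header layout and node rows below are constructed."""
import struct

# Constructed node table rows; code page values are Python codec names
# ("cp037" is IBM EBCDIC US/Canada, used here as the EBCDIC code page).
NODES = {
    "gateway": {"code_page": "ascii", "byte_ordering": "big"},     # e.g. a RISC host
    "legacy":  {"code_page": "cp037", "byte_ordering": "little"},  # e.g. an Intel host
}

_ORDER = {"big": ">", "little": "<"}   # struct prefixes; big = network byte order
HEADER = "II"                           # binary control fields: sequence number, data length


def pack_message(seq: int, text: str, node: dict) -> bytes:
    """Build a message in the given node's own byte ordering and code page."""
    data = text.encode(node["code_page"])
    fmt = _ORDER[node["byte_ordering"]] + HEADER
    return struct.pack(fmt, seq, len(data)) + data


def unpack_message(raw: bytes, node: dict):
    """Parse a message that is in the given node's byte ordering and code page."""
    fmt = _ORDER[node["byte_ordering"]] + HEADER
    size = struct.calcsize(fmt)
    if len(raw) < size:
        raise ValueError("message shorter than its control header")
    seq, length = struct.unpack(fmt, raw[:size])
    if len(raw) != size + length:
        raise ValueError("data length field does not match message size")
    return seq, raw[size:].decode(node["code_page"])


def translate(raw: bytes, src: dict, dst: dict) -> bytes:
    """Re-encode a message from the source node's conventions to the destination's.

    Only the binary control information is byte-swapped; the text data is
    converted between code pages (ASCII <-> EBCDIC) and is unchanged when both
    nodes already use the same code page.
    """
    seq, text = unpack_message(raw, src)
    return pack_message(seq, text, dst)
```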
Transaction Logs

Referring to FIG. 8, the four points of logging control supported by the network security system 10 are illustrated. Logging information refers to tracking certain information related to the processing of the information or transactions on the network. By logging information at particular points, an administrator operating or monitoring certain aspects of the network security system 10 may determine or observe relevant historical information with regard to the processing of messages and transactions on the network. The network security system 10 provides four points at which information may be logged. The four points at which information may be logged are at the web server 32 indicated by log data 802; the security server 24 indicated by log data 804; at the application server 20 as indicated by log data 806; and at the object 21 as indicated by log data 808. Referring again to FIG. 7, the object table 705 has an object log option field 734a in which a value may be inserted that specifies where data is to be logged on any of the particular systems. For example, the value inserted in this field may specify that the data is to be logged at the web server 32, security server 24, application server 20, or object 21 and further specifies where to log the data at those systems.

Referring to FIG. 9, a table is provided that indicates how the log data is encoded for use with the system of the present invention. The log table 900 has two columns: a "scope" column 902 that specifies the location at which the data should be logged in the system and a log column 904 that specifies where at the location the data is to be logged. The location at which data is to be logged may be indicated by one of four values in a location sequence field 910. The location sequence field 910 has four locations, location 911, location 912, location 913, and location 914. Each of the locations 911, 912, 913, and 914 corresponds to one of the specific points within the network security system 10 at which information may be logged. The values specified in the location sequence field 910 determine where to log the information at the particular system. Referring to column 902, the device at which data should be logged at a particular point within the system is indicated. For example, a "0" in any of the log locations 911, 912, 913, or 914 indicates that no log is to be provided for the corresponding system. A value of "1" in a log location indicates that the logging information should be logged to the display of the particular system. A value of "2" in any of the locations indicates that the information should be logged to disk at the location indicated by the position variable. A value of "3" indicated at any of the position variables indicates that the information should be logged to both the display and to the disk. With respect to the position variables, a value in location 911 indicates that the information should be logged at the gateway according to the logging variable; a value in location variable 912 indicates that the information should be logged at the security server 24 according to the logging variable; a value at location variable 913 indicates that the information should be logged at the application server 20 according to the logging variable; and a value in the location variable 914 indicates that the information should be logged at the object according to the position variable specified.

For example, a log option defined as "2222" indicates that the user desires to log information only to disk at the web server 32, the security server 24, the application manager 20, and the object 21. A log option of "3011" indicates that information at the object level is to be logged to both the disk and the display; information at the application server level should not be logged; and that information at the web server 32 and the security server 24 should be logged only to the display.

Referring to FIG. 10, the table 1000 indicates what information should be logged at the locations indicated by the information of table 9. Referring also to table 7, the object table 905 has a field labeled "object debug option" which specifies what should be logged. The position variables 1011, 1012, 1013, and 1014 correspond to the web server 32, security server 24, application server 20, and object 21 as discussed in connection with FIG. 9. Table 1000 has debug values 1010 which specify what should be logged at the particular position indicated by the position variables 1002. A value of "0" indicates that detail errors are not to be logged. A value of "1" indicates that a time stamp, or the time at which the message passed through the system, should be included. A value of "2" indicates that data is to be logged at a step by step level (i.e., at selected checkpoints within the web server 32, security server 24, application server 20 and object). A value of "3" indicates that all input messages should be logged in hex format. A value of "4" indicates that all output messages should be logged in hex format.

For example, a debug option of "2222" specified in the object table 705 at the debug option field 736a specifies a certain logging level. Specifically, the value of "2222" in the debug option field 736a (FIG. 7) indicates that logging should occur at a step by step level at the web server 32, security server 24, the application server 20, and the object 21. A value of "0314" in the debug option field 736a of the objects table indicates that no errors are to be logged at the object level; input messages should be logged in hex format at the application server; a time stamp should be logged at the security server; and output messages should be logged in hex format at the Web server 32.

This system of logging is very advantageous. Because all logging parameters are defined at the object level, the system administrator can select in a relatively easy manner a very detailed logging for security sensitive transactions. Additionally, using the logging method specified, a system administrator may specify a very detailed level of information to be recorded for debugging purposes.

Message Formats

Referring to FIG. 11, a table 1100 shows the formats of the messages delivered between systems of the network security system 10. Table 1100 shows the various fields that may be included in messages delivered according to the messaging protocol of the present invention. Table 1100 also includes sample data that may be included in a field and indicates what information is included in the particular messages as delivered according to the system of the present invention. While many fields are available for use, not all fields are relevant or used in each transaction between systems of the network security system 10. The selected fields included in various messages include a FromNode field 1104, a FromTime field 1106, a FromCodePage field 1108, a FromByteOrdering field 1110, a FromPlatform field 1112, a FromDataMode field 1114, a Password field 1116, a LogOption field 1118, a DebugOption field 1120, a UserName field 1122, a UserPassword field 1124, a UserID field 1126, a Sequence number field 1128, an Object field 1130, a PublicKey 1132, a TargetSocket field 1134, a TargetAddress field 1136, a ReturnCode field 1138, a GatewayData field 1140, an ObjectData field 1142, and an EndData field 1144. A GatewayData field 1140 contains information specific to the Web server. The ObjectData field contains information supplied by the browser 39 and End of Data or End of Record codes. The target socket field contains the node number used by the web server 32 to communicate with the security server 24. Return codes of ReturnCode field 1138 are used to communicate error conditions.

The FromCodePage field 1108 specifies whether ASCII or EBCDIC is used as discussed above. The Byte Ordering field 1110 specifies whether big or little Endian should be used as specified above. The messages column 1107 indicates which fields are included in which messages. A number in the message column of FIG. 11 in association with a particular field indicates that that field is included within the message specified in the column, and the number associated with the "end" field indicates the total number of fields included in each message.
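Decoding the four-digit log option (FIG. 9) and debug option (FIG. 10) carried in the object table and the LogOption and DebugOption message fields, and applying them to one log event at one of the four logging points, as an added Python example that is not the patent's code. It follows the digit order of the patent's own worked values "3011" and "0314", that is, first digit the object and last digit the web server; the event kinds and the log line format are assumptions.

```python
"""Decode the object table's log option and debug option and apply them to
a log event. Added example; digit order follows the worked values "3011" and
"0314" in the description (first digit = object, last digit = web server)."""
import binascii
from datetime import datetime, timezone

# Logging point addressed by each digit of the 4-character option string.
POSITIONS = ("object", "application server", "security server", "web server")

# FIG. 9: where at a location the data is written (log option digit).
LOG_SINKS = {"0": (), "1": ("display",), "2": ("disk",), "3": ("display", "disk")}

# FIG. 10: what detail is recorded at a location (debug option digit).
DEBUG_KINDS = {"0": None, "1": "timestamp", "2": "step", "3": "input", "4": "output"}


def _check(option: str, table: dict, name: str) -> str:
    """Reject anything that is not exactly four digits from the given table."""
    if len(option) != 4 or any(ch not in table for ch in option):
        raise ValueError(f"{name} must be 4 digits from {sorted(table)}: {option!r}")
    return option


def decode_log_option(option: str) -> dict:
    """Map each logging point to the sinks it writes to, e.g. "3011"."""
    option = _check(option, LOG_SINKS, "log option")
    return {pos: LOG_SINKS[d] for pos, d in zip(POSITIONS, option)}


def decode_debug_option(option: str) -> dict:
    """Map each logging point to the kind of detail recorded, e.g. "0314"."""
    option = _check(option, DEBUG_KINDS, "debug option")
    return {pos: DEBUG_KINDS[d] for pos, d in zip(POSITIONS, option)}


def log_event(position, kind, payload, log_option, debug_option, when=None):
    """Return the (sink, line) pairs a logging point would write for one event.

    kind is "timestamp", "step", "input" or "output". payload is bytes for
    input/output messages (rendered in hex, as FIG. 10 requires), a str for a
    step checkpoint, and ignored for a timestamp event.
    """
    sinks = decode_log_option(log_option)[position]
    wanted = decode_debug_option(debug_option)[position]
    if not sinks or wanted != kind:        # no log at this point, or not this detail
        return []
    if kind in ("input", "output"):
        text = binascii.hexlify(payload).decode()
    elif kind == "timestamp":
        text = (when or datetime.now(timezone.utc)).isoformat()
    else:
        text = str(payload)
    line = f"[{position}] {kind}: {text}"
    return [(sink, line) for sink in sinks]
```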

Processes of Present Invention

Referring to FIGS. 12a, 12b, 12c, 12d and 12e, the processes
implemented in the preferred embodiment of the present
invention are described. At step 1202, if the Gateway
component is executing as a CGI Gateway to a web server,
the user's request is initiated from a web browser or from a
JAVA applet. After a user has invoked a web browser or
JAVA applet, the user enters the address of the web server
at step 1204, which initiates access to the computer systems
of the present invention. At step 1206, the transactions or
object options for selection are presented to a user. The
process then proceeds to step 1208, where a user enters a
user name and password. The user name and password could
also be provided by the JAVA applet or HTML code. The
user may then activate or request that an object for
transaction be executed at step 1212. At step 1214, the web
server 32 determines that the information input should be
passed to the security server 24. Before sending a message
to the security server 24 that includes the information input
by the user, the web server 32 encrypts, at step 1216, the
message and includes a digital signature in the message for
authentication and data integrity purposes. It should be
appreciated that a variety of encryption methods as known
by those skilled in the art may be used, such as DES, Triple
DES, DESX, RC2, RC4, RC5, IDEA, or RSA. The web server
32 then sends, at step 1218, the encrypted message to the
security server 24.

Referring to FIG. 12b, the processes occurring at the
security server 24 are described. At step 1222, the security
server receives and decrypts the message sent from the web
server 32. At step 1224, the security server 24 checks
whether the message came from an appropriate source by
verifying that the digital signature is correct. The process
then proceeds to step 1226, where the authorization check for
the user transaction begins. At step 1226, the user tables
stored in the transaction tables database are accessed. The
process then proceeds to step 1230, where a determination is
made whether the user has entered an authorized user name
and valid password. If at step 1230 the user did not enter a
valid user name or valid password, the process proceeds to
step 1232, where the transaction is aborted. If the user did
enter a valid user name and valid password, the process
proceeds to step 1234. At step 1234, the object tables are
accessed to determine whether the object or transaction
selected by the user is available. At step 1236, the process
determines if the object name is in the object table. If the
object name is not in the object table, the process proceeds
to step 1238, where the transaction is aborted.

If, however, the object is in the object table, the process
proceeds to step 1240 (FIG. 12c), where the roles tables are
accessed to determine whether the user is authorized to
access this object to perform the transaction. At step 1242,
the process determines whether the user is authorized to do
the transaction indicated, as determined from the roles tables.
If the user is not authorized to perform the specific
transaction, the process proceeds to step 1244, where the
transaction is aborted. If, however, at step 1242, the user is
authorized to perform the transaction, the process proceeds
to step 1246, where the nodes tables are accessed. At step
1248, the process determines whether the node designated
for the transaction is available and may be accessed during
the current time period. If the node is not available to be
accessed during the current time period, the process pro-
ceeds to step 1250, where the transaction is aborted. The
checks are applied in this fixed order and the transaction is
aborted at the first failure, so a request that fails signature
verification or authentication never reaches the object, roles
or nodes lookups.

If, however, the node may be accessed during the current
time, the process proceeds to step 1252. At step 1252, a
public encryption key is generated for this particular trans-
action. (The description calls it a public key, but claims 7
and 18 describe it as a dynamically created single-use key
that is delivered to both endpoints and used by one to
encrypt and by the other to decrypt, i.e. a per-transaction
shared secret.) At step 1254, a port number is randomly
generated from the available ports. The port number
generated from this randomizing routine is used as the port
on which communications are to occur between an object
and a web server. The process then proceeds to step 1256
(FIG. 12d), where communication set-up data is delivered.
At step 1256, the security server 24 sends the transaction
information, the key for this transaction, the random port
number for this transaction, and the duration value for the
transaction to the object manager of the application server.
The process then proceeds to step 1257, where the object
manager may initiate execution of the object. At step 1258,
the object manager of the application server notifies the
security server 24 that the object has begun execution.

At step 1260, the security server 24 additionally sends the
key generated at step 1252, the random port number, and the
node location (the physical address obtained from the nodes
table) to the web server 32. By generating a new key for
each transaction and separately sending it to the two systems
that are to communicate, the security system 10 of the
present invention provides a protocol in which a captured
key exposes at most one transaction, which makes it
considerably harder for an attacker to break.
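The following Python, an added example rather than the patent's own code, walks the security-server checks of steps 1224 through 1250 and the set-up of steps 1252 through 1260 against constructed tables. The table contents, the use of HMAC-SHA256 over the canonical request as the digital signature of steps 1216 and 1224, the password hashing, the port pool, the 30-second duration and the layouts of the two set-up messages are all assumptions; transport encryption of the gateway's message is left out. Each check aborts with the step number the description gives, so the return value of `authorize` can be read directly against FIGS. 12b and 12c.

```python
"""Security-server decision flow and per-transaction set-up (steps 1224-1260).
Added example; tables, signature scheme, port pool and message layouts are
assumptions made for illustration, not the patent's implementation."""
import hashlib, hmac, json, secrets
from datetime import datetime, time

# Constructed stand-ins for the user, object, roles and nodes tables held in
# the security server's transaction-tables database.
USER_TABLE = {
    "alice": {"pw": hashlib.sha256(b"correct horse").hexdigest(), "role": "teller"},
    "bob":   {"pw": hashlib.sha256(b"battery staple").hexdigest(), "role": "auditor"},
}
OBJECT_TABLE = {"AccountBalance": "app01", "WireTransfer": "app02"}   # object -> node
ROLES_TABLE = {"teller": {"AccountBalance", "WireTransfer"}, "auditor": {"AccountBalance"}}
NODES_TABLE = {   # node -> physical address and the daily window in which it may be used
    "app01": {"address": "10.0.0.11:7000", "window": (time(0, 0), time(23, 59))},
    "app02": {"address": "10.0.0.12:7000", "window": (time(8, 0), time(18, 0))},
}
AVAILABLE_PORTS = list(range(40000, 40010))   # assumed pool of unused gateway ports
GATEWAY_KEY = b"assumed secret shared by web server 32 and security server 24"
DURATION_SECONDS = 30                         # assumed per-transaction time-out


def sign(raw: bytes) -> str:
    """Signature the gateway attaches at step 1216 (assumed: HMAC-SHA256)."""
    return hmac.new(GATEWAY_KEY, raw, hashlib.sha256).hexdigest()


def request(user: str, password: str, obj: str) -> tuple:
    """What the gateway sends at step 1218: canonical request bytes plus signature."""
    raw = json.dumps({"user": user, "password": password, "object": obj},
                     sort_keys=True).encode()
    return raw, sign(raw)


def authorize(raw: bytes, signature: str, now: str):
    """Return ("abort", step) naming the step at which the transaction is aborted,
    or ("ok", setup) carrying the two set-up messages of steps 1256 and 1260.
    `now` is an ISO-8601 timestamp, e.g. "2024-01-02T10:00"."""
    # Step 1224: recompute the signature and compare in constant time.
    if not hmac.compare_digest(sign(raw), signature):
        return ("abort", 1224)
    req = json.loads(raw)
    # Steps 1226-1232: user table, user name and password.
    user = USER_TABLE.get(req.get("user"))
    given = hashlib.sha256(req.get("password", "").encode()).hexdigest()
    if user is None or not hmac.compare_digest(user["pw"], given):
        return ("abort", 1232)
    # Steps 1234-1238: object table.
    node = OBJECT_TABLE.get(req.get("object"))
    if node is None:
        return ("abort", 1238)
    # Steps 1240-1244: roles table.
    if req["object"] not in ROLES_TABLE.get(user["role"], set()):
        return ("abort", 1244)
    # Steps 1246-1250: nodes table and its availability window.
    start, end = NODES_TABLE[node]["window"]
    if not (start <= datetime.fromisoformat(now).time() <= end):
        return ("abort", 1250)
    # Step 1252: a fresh key for this transaction only (the single-use key of claim 7).
    key = secrets.token_bytes(32)
    # Step 1254: a port drawn at random from the unused pool and removed from it;
    # the gateway must return it to the pool once the transaction ends.
    if not AVAILABLE_PORTS:
        raise RuntimeError("no unused port available")
    port = AVAILABLE_PORTS.pop(secrets.randbelow(len(AVAILABLE_PORTS)))
    txn = secrets.token_hex(8)
    setup = {
        # Step 1256: to the object manager of the application server.
        "to_object_manager": {"txn": txn, "object": req["object"], "key": key,
                              "port": port, "duration": DURATION_SECONDS},
        # Step 1260: to the web server (gateway), which will listen on the port.
        "to_gateway": {"txn": txn, "key": key, "port": port,
                       "node": NODES_TABLE[node]["address"], "duration": DURATION_SECONDS},
    }
    return ("ok", setup)
```

Running `authorize` twice for the same request yields two different keys and two different ports, which is the single-use property the description relies on; the pool entry consumed at step 1254 has to be handed back when the gateway stops listening, otherwise the pool drains and the server can no longer set up transactions.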

At step 1262, the elapsed time of the transaction is
compared against the time limit for the transaction. If the
elapsed time exceeds the time-out period at step 1266, the
process proceeds to step 1268, where the transaction is
aborted. However, if at step 1266 the transaction duration
has not exceeded the time-out value, the process proceeds to
step 1270a. At step 1270a, a parallel process is initiated: at
step 1270b a time monitor is started to monitor the execution
time of the object, and at step 1271 a program routine waits
for completion of the execution of the object. If the actual
execution time of the object exceeds the time-out value, the
process proceeds to step 1268, where the transaction is
aborted. In parallel with process 1270b, the system proceeds
to step 1271 and waits for the object to complete execution.
The line 1259 indicates that the process waits on a response
from the object when the object begins execution. When the
object completes execution and provides the needed
information, the process proceeds to step 1272 (FIG. 12e).
When the object has finished executing, the object encrypts,
at step 1272, the data message with the key issued for this
transaction (the description calls it the private key; it is the
single-use key delivered at step 1256). At step 1274, the
object outputs the transaction response on the random port
supplied by the security server so that the object response is
available to the web server. The process then proceeds to
step 1276. The gateway of the web server listens on the port
supplied by the security server for this particular transaction
and decrypts the response with the same key. The executed
transaction is displayed to the user at step 1278. The process
then ends at step 1280.
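The object-manager and gateway side of steps 1257 through 1278, as an added example that is not the patent's code. Threads and per-port queues stand in for the object manager and for the gateway's listening sockets. For the per-transaction cipher the description lists DES, Triple DES, DESX, RC2, RC4, RC5, IDEA or RSA; DES, RC2 and RC4 are obsolete today, and none of them is in the Python standard library, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is used here as a stand-in (an assumption; a production system would use an authenticated cipher such as AES-GCM). The tag is the part the description does not mention but a practitioner needs: without it the gateway would accept a response altered in transit on the random port. The `sleepy` object is constructed to show the time-out path of step 1268.

```python
"""Object execution under the time monitor (1257-1271) and the encrypted
response on the per-transaction port (1272-1278). Added example; the cipher,
the in-process gateway and the sample objects are stand-ins, not the patent's."""
import hashlib, hmac, queue, secrets, threading, time


def _subkeys(key: bytes) -> tuple:
    """Separate keystream and MAC keys derived from the single-use key."""
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant time), only then strip the keystream."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Gateway:
    """Stand-in for the web server's gateway: one inbox per port it was told to watch."""
    def __init__(self):
        self.inboxes = {}

    def listen(self, port: int):                         # step 1260: prepare the port
        self.inboxes[port] = queue.Queue()

    def deliver(self, port: int, blob: bytes):           # step 1274: object writes to the port
        if port not in self.inboxes:
            raise ValueError("gateway is not listening on port %d" % port)
        self.inboxes[port].put(blob)

    def receive(self, port: int, key: bytes, timeout: float) -> bytes:   # step 1276
        return decrypt(key, self.inboxes[port].get(timeout=timeout))


def run_object(gateway: Gateway, setup: dict, object_fn) -> tuple:
    """Object-manager side: start the object (1257), watch its execution time
    (1270b), abort on time-out (1268), otherwise encrypt and deliver (1272-1274)."""
    result = {}

    def worker():
        result["data"] = object_fn()

    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(setup["duration"])          # the time monitor of step 1270b
    if thread.is_alive():
        return ("abort", 1268)              # the object overran its allotted time
    gateway.deliver(setup["port"], encrypt(setup["key"], result["data"]))
    return ("ok", 1276)


def sleepy(seconds: float, data: bytes = b"late"):
    """Constructed object that overruns its time limit: sleeps, then answers."""
    def run():
        time.sleep(seconds)
        return data
    return run
```

The gateway learns the key and port from the security server at step 1260, not from the object, so an object that delivers to the wrong port or encrypts under the wrong key produces either a delivery error or a tag mismatch, never a silently wrong display to the user.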

The foregoing relates to the preferred embodiment of the 
present invention, and many changes may be made therein 
without departing from the scope of the invention as defined 
by the following claims. 

What is claimed is: 

1. A method for providing a first computer with secure 
access to a destination computer, comprising the steps of: 
receiving a first message from the first computer at a
gateway requesting a function to be executed by the 
destination computer; 

directing the first message from the gateway to a security 
server; 

determining whether the requested function is permitted; 

if the requested function is permitted, transmitting a 
second message from the security server to the desti- 
nation computer authorizing execution of the function; 

initiating execution of the function at the destination 
computer; and 

while the function executes, asynchronously transmitting 
a third message from the destination computer to the 
security server confirming initiation of the execution of 
the function. 

2. The method of claim 1 further comprising the step of:
transmitting a fourth message from the security server to
the gateway while the function executes.

3. The method of claim 2 further comprising the steps of: 
randomly selecting a communications port from a plural- 
ity of unused communications ports available at the 
gateway; 

including a value representing the selected communica-
tions port in the second message transmitted from the
security server to the destination computer;

including the value representing the selected communi- 
cations port in the fourth message transmitted from the 
security server to the gateway; 

preparing the gateway to receive communications from
the destination computer on the selected communica-
tions port; and

after the function has finished executing, transmitting a
fifth message from the destination computer to the
selected communications port of the gateway, the fifth
message including a response associated with the
executed function.

4. The method of claim 2 further comprising the steps of: 
allotting a predetermined function execution time;

including a value representing the predetermined function
execution time in the second message transmitted from
the security server to the destination computer; and

terminating execution of the function if the time to
execute the function exceeds the predetermined func-
tion execution time.

5. The method of claim 4 further comprising the step of 
logging the termination of the execution of the function in a 
log maintained at the security server. 

6. The method of claim 4 further comprising the step of 
including the value representing the predetermined function 
execution time in the fourth message transmitted from the 
security server to the gateway. 

7. The method of claim 2 further comprising the steps of: 
dynamically creating a single-use encryption key;

transmitting the single-use encryption key in the second
message transmitted from the security server to the
destination computer;

transmitting the single-use encryption key in the fourth
message transmitted from the security server to the
gateway;

encrypting a fifth message with the single-use encryption 
key at the destination computer, the fifth message 
including a response associated with the executed func- 
tion; and 

decrypting the fifth message at the gateway using the 
single-use encryption key. 
8. The method of claim 1, wherein the step of determining
whether the requested function is permitted comprises one 
or more of the steps selected from the group including: 

accessing a first table to determine whether the user has 
input identification information contained in the first 
table; 

accessing a second table to determine whether the user is 
authorized access to an indicated program module of 
the destination computer; 

accessing a third table to determine whether the user has 
access privileges for the requested function; 

accessing a fourth table to obtain a physical address 
associated with the destination computer; and 

determining whether the requested function has been 
requested during a time when the destination computer 
is available for performing the requested function. 

9. The method of claim 1, wherein the first message is 
encrypted and contains a digital signature to authenticate the 
first message was received from an authorized first 
computer, further comprising the steps of: 

decrypting the first message; 

receiving the digital signature in the first message; and 
authenticating the first message by calculating a digital 
signature associated with the first message and com- 
paring the calculated digital signature to the received 
digital signature. 

10. The method of claim 1, wherein the step of executing 
the function comprises executing an object or completing a 
transaction. 

11. An apparatus configured to perform the method of 
claim 1. 

12. A computer storage medium, or a group of computer 
storage media, comprising computer-executable instructions 
for performing the method of claim 1. 

13. A method for providing a first computer with secure 
access to a destination computer, comprising the steps of: 

receiving a first message from the first computer at a 
gateway requesting a function to be executed by the 
destination computer; 

directing the first message from the gateway to a security 
server; 

determining whether the requested function is permitted; 

if the requested function is permitted, transmitting a 
second message from the security server to the desti- 
nation computer authorizing execution of the function; 

initiating execution of the function at the destination 
computer; 

allotting a predetermined function execution time; 

including a value representing the predetermined function 
execution time in the second message transmitted from 
the security server to the destination computer; 

terminating execution of the function if the time to
execute the function exceeds the predetermined func-
tion execution time; and

while the function executes, asynchronously transmitting
a third message from the destination computer to the
security server confirming initiation of the execution of
the function.

14. The method of claim 13 further comprising the steps
of:

while the function executes, asynchronously transmitting
a fourth message from the security server to the gate-
way;

dynamically creating a single-use encryption key;

transmitting the single-use encryption key in the second
message transmitted from the security server to the
destination computer;
transmitting the single-use encryption key in the fourth
message transmitted from the security server to the 
gateway; 

encrypting a fifth message with the single-use encryption 
key at the destination computer, the fifth message 
including a response associated with the executed func- 
tion; 

after the function has finished executing, transmitting the 
fifth message from the destination computer to the 
selected communications port of the gateway, the fifth 
message including a response associated with the 
executed function; and 

decrypting the fifth message at the gateway using the 
single-use encryption key. 

15. The method of claim 14, wherein the step of deter- 
mining whether the requested function is permitted com- 
prises one or more of the steps selected from the group 
including: 

accessing a first table to determine whether the user has 
input identification information contained in the first 
table; 

accessing a second table to determine whether the user is 
authorized access to an indicated program module of 
the destination computer; 

accessing a third table to determine whether the user has 
access privileges for the requested function; 

accessing a fourth table to obtain a physical address 
associated with the destination computer; and 

determining whether the requested function has been 
requested during a time when the destination computer 
is available for performing the requested function. 

16. An apparatus configured to perform the method of 
claim 14. 

17. A computer storage medium, or a group of computer 
storage media, comprising computer-executable instructions 
for performing the method of claim 14. 

18. A method for providing a first computer with secure 
access to a destination computer, comprising the steps of: 
receiving a first message from the first computer at a
gateway requesting a function to be executed by the 
destination computer; 

directing the first message from the gateway to a security 
server; 

determining whether the requested function is permitted; 
if the requested function is permitted: 
dynamically creating a single-use encryption key, 
transmitting a second message from the security server 
to the destination computer authorizing execution of 
the function, and 
including the single-use encryption key in the second 
message; 

initiating execution of the function at the destination
computer;
while the function executes: 

asynchronously transmitting a third message from the 
destination computer to the security server confirm- 
ing initiation of the execution of the function, 

asynchronously transmitting a fourth message from the 
security server to the gateway, and 

including the single-use encryption key in the fourth 
message; and 
after the function has finished executing: 

encrypting a fifth message with the single-use encryp- 
tion key at the destination computer, the fifth mes- 
sage including a response associated with the 
executed function, 

transmitting the fifth message from the destination 
computer to the selected communications port of the 
gateway, the fifth message including a response 
associated with the executed function, and 

decrypting the fifth message at the gateway using the 
single-use encryption key. 

19. An apparatus configured to perform the method of 
claim 18. 

20. A computer storage medium, or a group of computer 
storage media, comprising computer-executable instructions 
for performing the method of claim 18. 